
[WLC] Error 'L2 ACE cannot follow L3 ACE' when committing the ACL configuration on the controller


Article ID: KB32313 | KB Last Updated: 07 Feb 2018 | Version: 1.0
Summary:

This article provides the steps to correct the error, 'L2 ACE cannot follow L3 ACE'.

Symptoms:

While committing the ACL configuration on the controller, the following error is reported:

error: change rejected.
L2 ACE cannot follow L3 ACE


Cause:
The error "L2 ACE cannot follow L3 ACE" is reported when an ACL is committed whose ACEs are not in the required order. When an ACL is mapped to inbound or outbound traffic, the controller evaluates the traffic against the ACEs in sequence, from the line 1 ACE to the last ACE configured, and handles the traffic accordingly. If an L2 (MAC-based) ACE is configured after an L3 (IP-based) ACE, the ACL cannot be committed and the error "L2 ACE cannot follow L3 ACE" is reported.

Solution:

Perform the following steps:

  1. Confirm that the Access Control List (ACL) contains the group of Access Control Entries (ACEs) required by the network.
  2. Confirm which ACLs are used to control traffic flow in both directions, that is, inbound and outbound traffic.
  3. Correct the order of the ACEs.

    Example:

    Given this configuration:
    # set security acl name JTAC permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
    # set security acl name JTAC deny mac 00:11:22:aa:bb:cc 00:00:00:00:00:00 any ethertype any
    # commit security acl JTAC
    error: change rejected.
    L2 ACE cannot follow L3 ACE

    Note that the L2 ACE (MAC-based rule) follows the L3 ACE (IP-based rule). The ACL cannot be committed because, when traffic enters the controller, the L3 parameters are checked first, as per the line 1 ACE; it is therefore not logical to then evaluate the traffic against L2 (MAC-based) rules in the second ACE.

    In the above case, if the L3 and L2 ACEs are swapped, then the ACL will be committed successfully.

    #set security acl name JTAC deny mac 00:11:22:aa:bb:cc 00:00:00:00:00:00 any ethertype any
    #set security acl name JTAC permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
    #commit security acl JTAC
    success: change accepted
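As an added example (not Juniper's code), the following Python check reproduces the ordering rule above for a list of `set security acl` lines before they are committed, and shows the swap that makes the article's JTAC ACL acceptable. The ACL name, the `#` prompt handling and the treatment of any keyword other than `mac` as L3 are assumptions taken from the commands shown on this page.

```python
import re

# Added example, not part of the WLC/MSS software: a pre-commit lint for 'set security acl'
# lines that mirrors the article's rule: in one ACL, a MAC-based (L2) ACE may not follow an
# IP-based (L3) ACE. The article shows only 'ip' and 'mac'; treating every keyword other than
# 'mac' as L3 is an assumption made here.
ACE_RE = re.compile(
    r"^\s*#?\s*set security acl name (?P<acl>\S+) (?P<action>permit|deny) (?P<proto>\S+)"
)

def classify(line):
    """Return (acl_name, 'L2' or 'L3') for an ACE line, or None for any other line."""
    m = ACE_RE.match(line)
    if m is None:
        return None
    layer = "L2" if m.group("proto") == "mac" else "L3"
    return m.group("acl"), layer

def check_acl(lines):
    """Emulate the commit check: (True, success text) or (False, error text)."""
    l3_seen = set()  # names of ACLs that already contain an L3 ACE
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit is None:
            continue
        acl, layer = hit
        if layer == "L3":
            l3_seen.add(acl)
        elif acl in l3_seen:
            return False, f"line {n}: L2 ACE cannot follow L3 ACE (acl {acl})"
    return True, "success: change accepted"

def reorder_acl(lines):
    """Place every L2 ACE ahead of the L3 ACEs, keeping each group's relative order."""
    groups = {"L2": [], "L3": []}
    for line in lines:
        hit = classify(line)
        if hit is not None:
            groups[hit[1]].append(line)
    return groups["L2"] + groups["L3"]

# Constructed sample: the rejected JTAC configuration shown in the article.
REJECTED = [
    "set security acl name JTAC permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255",
    "set security acl name JTAC deny mac 00:11:22:aa:bb:cc 00:00:00:00:00:00 any ethertype any",
]

if __name__ == "__main__":
    print(check_acl(REJECTED))               # rejected: the L2 ACE follows the L3 ACE
    print(check_acl(reorder_acl(REJECTED)))  # accepted once the two ACEs are swapped
```

Because the controller evaluates ACEs in sequence, re-check that the reordered list still expresses the intended policy (steps 1 and 2 above) before committing it.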